Curves with a Twist

Alec Liu

Jun 26, 2014

Ripple Labs is considering the addition of a new elliptic curve implementation to the Ripple protocol to complement the existing cryptographic system. The addition of a Schnorr-based cryptosystem will produce more optimal and secure design schemes and provide a platform for robust and sophisticated functionality while preserving existing network structure and efficiency.

Currently, the Ripple protocol uses Koblitz curves with secp256k1 parameters and ECDSA signatures as defined in the Standards for Efficient Cryptography (SEC) by Certicom, which is the same cryptosystem that powers Bitcoin.

After months of analysis and testing, we’ve concluded that a Schnorr-based cryptosystem will greatly enhance the security, flexibility, and performance of the Ripple protocol. The system we’re currently testing is Ed25519.

Our initial tests and analysis suggest significant performance gains with the new curve. Curve25519 halves verification time versus secp256k1 based on efficient implementations of both curves. These results were achieved with lower variance, which points to the constant-time properties of Curve25519.

In combination, the new curve implementation is expected to quadruple performance versus secp256k1 based on our preliminary benchmarking.

The signature scheme: Schnorr

The Schnorr signature scheme also adds key benefits in comparison to ECDSA. Adam Back, the inventor of Hashcash (the proof-of-work system used in Bitcoin), sums up the benefits of Schnorr as follows: “simple blinding, compact multi-sig, clearer security proofs, better security margin, less dependence on hash properties.”

DSA schemes are difficult to manage because they are easy to get wrong. An improper implementation is trivial to break, and what might seem like a minor misstep can precipitate a system-wide vulnerability—as demonstrated by the highly publicized PlayStation hack in 2012.

Hackers were able to gain full control of the PS3 using “simple algebra” after Sony set a constant in its custom DSA implementation instead of a randomly generated number. The sensitivity of DSA signatures to human error allowed this single oversight to fully compromise the console’s encryption protections, exposing the platform and Sony’s partners to the perpetual threat of piracy.

Multi-signature schemes require the network to verify each signature, increasing load with the number of participants. Conversely, threshold signatures are generated offline and result in a single signature regardless of the total number of parties participating.

ECDSA can create threshold signatures, but requires multi-party computation. This means that the number of participants required to generate a signature without revealing their secrets is twice the number of shares required to recover the key. In contrast, Schnorr has no such restriction. Shares of a signature can be independently verified and then composed.
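The composition property described above, as an added example (not Ripple's code): each signer's Schnorr share satisfies the verification equation on its own, and adding the shares yields one signature that verifies against the combined key. Assumptions: a toy 11-bit Schnorr group instead of Ed25519, the simplified n-of-n additive case rather than a t-of-n threshold, no defence against maliciously chosen keys, and hypothetical function names.

```python
import hashlib
import secrets

# Toy Schnorr group (assumption, for readability): P = 2Q + 1, G has order Q.
# These parameters offer no security; a real deployment would use Ed25519.
P, Q, G = 2039, 1019, 4

def challenge(R, X, msg):
    """e = H(R || X || msg) reduced mod Q."""
    data = f"{R}|{X}|".encode() + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def keygen():
    """Return (secret scalar, G^secret); also used to draw a fresh nonce pair."""
    x = secrets.randbelow(Q - 1) + 1          # scalar in [1, Q-1]
    return x, pow(G, x, P)

def product(values):
    out = 1
    for v in values:
        out = out * v % P
    return out

def partial_sign(x, k, e):
    """One signer's share: s_i = k_i + e * x_i (mod Q)."""
    return (k + e * x) % Q

def verify(s, R, X, e):
    """Schnorr equation G^s == R * X^e; the same check serves a share or the whole."""
    return pow(G, s, P) == R * pow(X, e, P) % P

def joint_sign(msg, n=3):
    keys = [keygen() for _ in range(n)]       # (x_i, X_i) per signer
    nonces = [keygen() for _ in range(n)]     # (k_i, R_i), fresh per signature
    X = product(Xi for _, Xi in keys)         # combined public key
    R = product(Ri for _, Ri in nonces)       # combined nonce commitment
    e = challenge(R, X, msg)
    shares = [partial_sign(x, k, e) for (x, _), (k, _) in zip(keys, nonces)]
    # Each share is checked alone, using only that signer's public R_i and X_i.
    share_ok = [verify(s, Ri, Xi, e)
                for s, (_, Ri), (_, Xi) in zip(shares, nonces, keys)]
    s = sum(shares) % Q                       # composition is plain addition
    return {"X": X, "R": R, "e": e, "s": s, "shares": shares,
            "share_ok": share_ok, "pubs": [Xi for _, Xi in keys],
            "Rs": [Ri for _, Ri in nonces]}
```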

Ed25519 allows more optimal designs regarding security, distribution, and performance. The added flexibility will become increasingly relevant going forward as we add sophisticated functionality to the Ripple network—particularly in the area of smart contracts and oracle systems (such as Reality Keys, winner of the Startup Challenge sponsored by Ripple Labs at Bitcoin 2014 in Amsterdam)—where we have dedicated significant efforts behind the scenes.